General

  • Target

    2025-06-03_50ac6f3a7f6500da75f906a6dd0d7022_black-basta_coinminer_ryuk_sliver

  • Size

    3.4MB

  • Sample

    250603-y7kpaawwex

  • MD5

    50ac6f3a7f6500da75f906a6dd0d7022

  • SHA1

    7e6516a528665dc4d308d416928de8916c15373b

  • SHA256

    b5dc7fc4d0eebe44488c7d45b10006705f1210098fcc24bad04c0b7a553c0665

  • SHA512

    b8bcaf2c81b259df7ccdfc8b88c1ee692f5262165c0768c40d90890b0b0661d415946734cfdc69e681970c3f1af54356e2f9e362f625487a01ace2cb3f0684f6

  • SSDEEP

    49152:VdZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5b/:nHvfGfZvZj1/N/z/owJ/

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

PORTO

C2

http://blueremote2.bluedu.com.br:443/agent.ashx

Attributes

  • mesh_id

    0x358C7C4D2722C36F1BCE1F60A9FE5644D8F2F8EA5140F6150A86A52A6A4B735EB3DB213727124E193CB2998060ADC096

  • server_id

    09CF688FAB1FD135204D712C6D209E0AAA2D7F5A12FE300048608A24CB168269A6A855351B6FC7A913919EEFA9F0B316

  • wss

    wss://blueremote2.bluedu.com.br:443/agent.ashx

Targets

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

    • Meshagent family

    • Sets service image path in registry

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory
